Test Planning - PowerPoint PPT Presentation


1
SOX: How did we get here and where are we going?
Outline
  • A Little History.
  • Some Definitions.
  • Section 404.
  • Internal Controls.
  • Testing.
  • Summary.
  • Q & A.

Presented by David Thompson, SISQA
david.thompson@supervalu.com
May 2009
2
History: What caused it?
  • President George W. Bush signed the
    Sarbanes-Oxley (SOX) Act, H.R. 3763 into law on
    July 30, 2002.
  • The Bill raced through Congress and was signed by
    the president in less than 100 days from the time
    it was first approved in the House.
  • Senator Paul S. Sarbanes and Representative
    Michael G. Oxley were the bill's sponsors;
    therefore, we get the common identifier SOX.

3
History: What Went Wrong?
  • Enron was the first corporation in 2001 that
    showed egregious signs of mismanagement and filed
    for bankruptcy in the same year.
  • Global Crossing concealed its financial position
    from the public and had to file for bankruptcy.
  • WorldCom overstated earnings by $3.8 billion in
    one of the largest cases of bookkeeping fraud.
  • Tyco gave millions of dollars in questionable
    bonuses, loans, and other payments to its upper
    management.
  • The founders of Adelphia Communications could not
    account for 2.3 billion dollars and were
    convicted of defrauding the company.
  • All in all, a pretty good couple of years, don't
    you think?

4
History: Where we've been
  • The idea of corporate responsibility and of
    requiring corporations to attest to their
    internal controls is not new. It is essentially
    the same information that was called for in 1978
    by the Commission on Auditors' Responsibilities,
    better known as the Cohen Commission (Gupta &
    Leech, 2006, p. 8).
  • 23 years later, Congress had to enforce corporate
    governance because the industry would not
    regulate itself, and only after how many billions
    of dollars lost, lives destroyed, and retirements
    postponed.
  • A company must report SOX compliance on its
    annual 10-K form.

5
Definitions
  • Internal Control - The policies, procedures,
    practices and organizational structures designed
    to provide reasonable assurance that business
    objectives will be achieved and that undesired
    events will be prevented or detected and
    corrected (COBIT framework, 1998, p. 13).
  • Material Weakness - A deficiency, or combination
    of deficiencies, in internal control over
    financial reporting, such that there is a
    reasonable possibility that a material
    misstatement of the registrant's annual or
    interim financial statements will not be
    prevented or detected on a timely basis
    (Definition, 2007).
  • Significant Deficiency - A deficiency, or a
    combination of deficiencies, in internal control
    over financial reporting that is less severe than
    a material weakness, yet important enough to
    merit attention by those responsible for
    oversight of the registrant's financial
    reporting (Definition, 2007).

6
What is Section 404?
  • Let's back up a minute.
  • The SOX law is made up of 11 Titles.
  • Section 4 contains a wealth of information on
    what companies have to do.
  • It is the Enhanced Disclosure Law.
  • Section 4 is made up of 9 subsections.
  • Section 404 is the 4th subsection of Title IV of
    the law that we, as IT people, will be most
    concerned with.
  • Section 404 has only 170 words, but the
    interpretation of those words has led to many
    different ways for companies to document their
    internal controls.
  • The COSO framework (which can be acquired here:
    http://www.coso.org/IC.htm) is generally accepted
    as the model to guide the creation and assurance
    of internal processes in financial reporting.
  • However, COSO lacks practical steps and
    guidance to evaluate whether a company has an
    effective system of internal control over
    financial reporting.

7
What is Section 404? Cobit to the rescue
  • Cobit (Committee OBjectives for Information and
    related Technology) fills the void of how to
    interpret section 404.
  • To govern IT effectively, Cobit defines 4
    domains:
  • Plan and Organise (PO): Provides direction to
    solution delivery (AI) and service delivery (DS).
    10 controls.
  • Acquire and Implement (AI): Provides the solutions
    and passes them to be turned into services.
    7 controls.
  • Deliver and Support (DS): Receives the solutions
    and makes them usable for end users. 13 controls.
  • Monitor and Evaluate (ME): Monitors all processes
    to ensure that the direction provided is followed.
    4 controls.

8
What is Section 404? Cobit to the rescue
  • A company need only comply with the controls that
    are pertinent for them.
  • I am personally involved with 7 controls, which
    are probably implemented at most companies.
  • Here are the 7 internal controls I'm involved
    with:
  • AI: Manage Change
  • AI: Install and Accredit
  • DS: Manage Service Desk & Incidents
  • DS: Manage Problems
  • DS: Manage Data
  • DS: Manage Physical Environment
  • DS: Manage Operations
  • We chose not to comply with DS: Manage
    Configuration. You might think everyone would
    need to comply with this, and so do I. I'm
    working on this one.

9
Internal Controls
  • But what is an internal control?
  • In a general sense, a control is defined as "The
    policies, procedures, practices and
    organizational structures designed to provide
    reasonable assurance that business objectives
    will be achieved and that undesired events will
    be prevented or detected and corrected" (COBIT
    framework, 1998, p. 13).
  • Internal controls should be defined in a way that
    reduces or eliminates risk. The higher the risk
    of a material weakness occurring, the more work
    is required to eliminate or mitigate that risk.
  • Internal controls can detect and correct errors,
    or they can prevent errors.
  • Which type would be preferred?
  • Which type would require more time and effort to
    create and document?
  • Most of the controls will probably be detect
    controls.
  • Internal controls that prevent or detect material
    weaknesses are key controls.
  • Therefore, the focus of internal control work is
    the key controls; this is where the most time in
    understanding and testing should occur.

10
Internal Controls
  • How to document an internal control?
  • 3 generally accepted methods:
  • Flowcharting
  • Narrative
  • Matrix
  • Each method has its advantages and disadvantages,
    but I won't get into them here. We currently use
    narratives.
  • I like narratives because:
  • Once written they can be used as a training aid
    or given to others to test.
  • They can be precise.
  • They are usually easy to follow.
  • I don't like narratives because:
  • The ambiguity of the English language: it can,
    and usually does, take multiple revisions to get
    it right.

11
Testing Internal Controls
  • This is probably near and dear to all of our
    hearts here.
  • Think of testing internal controls the same way
    you would test software: all the things you've
    learned and all the things in the CBOK still
    apply.
  • Simply create a test procedure, as you would for
    any test, and record your results. Be sure the
    results include all reporting documentation and
    how the sample size / audit pool was created.
  • So what is an audit pool and how do you create
    one?
  • An audit pool is a subset of the records being
    reviewed.
  • Audit pools can be created in a number of ways:
    randomly, judgmentally, or all records can be
    chosen.
  • Why would we choose an audit pool of a certain
    size?
  • Confidence level, tolerable rate of error, and
    expected error rate of the population.
  • A website to create an audit pool based on the
    above criteria can be found here:
    http://www.raosoft.com/samplesize.html

12
Testing Internal Controls: Sample Sizes
(continued)
  • For SOX, generally accepted sample sizes based on
    the frequency of the control are:
  • Yearly: 1.
  • Quarterly: 2 to 3.
  • Monthly: 2 to 6.
  • Weekly: 5 to 15.
  • Daily: 25 to 60.
  • I perform testing throughout the year, so my goal
    is to use the largest sample size possible so
    that our confidence level is highest when we are
    externally audited. I will use all the records
    available if possible, i.e., when I have an
    automated test. Sometimes this can mean 1,200
    records.
  • An external auditor usually sticks to the
    generally accepted values noted above when they
    audit a company.

13
Testing Internal Controls: Things to remember
  • Do everything you normally would when you test
    software.
  • Do everything you normally would when you report
    your testing.
  • Use the tool box you've created as a software
    tester.
  • Record everything:
  • How a sample was created.
  • Who was spoken to.
  • What criteria were used for determining
    success.
  • The very specifics of each test failure and why
    it was classified as a failure.
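The three testing slides above describe a procedure: pick an audit pool (randomly, judgmentally, or all records), size it from the confidence level, tolerable rate of error and expected error rate or from the frequency-based table, then record how the pool was built and the specifics of every failure. The following Python is an added example written for this page; it is not code from the presentation, from the presenter, or from the Raosoft calculator it links. The change-ticket records, the approval criteria in change_approval_check, and the z-value table are constructed assumptions, and the sample-size formula is the standard finite-population one (x = z^2 r (100 - r), n = N x / ((N - 1) E^2 + x)), which may differ in rounding from the linked calculator.

```python
import math
import random
from dataclasses import dataclass, field
from typing import List, Optional

# Two-sided critical z-values for the usual confidence levels (assumed table).
Z_FOR_CONFIDENCE = {90: 1.645, 95: 1.960, 99: 2.576}
# Generally accepted SOX sample sizes by control frequency (slide 12): (low, high).
SOX_SAMPLE_RANGE = {"yearly": (1, 1), "quarterly": (2, 3), "monthly": (2, 6),
                    "weekly": (5, 15), "daily": (25, 60)}


def statistical_sample_size(population, confidence=95, tolerable_error=5.0,
                            expected_error_rate=50.0):
    """Attribute-test sample size for a finite population of N records, from the
    confidence level (percent), tolerable rate of error E (percent) and expected
    error rate r (percent; 50 is the conservative choice when nothing is known).
    Finite-population formula: x = z^2*r*(100-r); n = N*x / ((N-1)*E^2 + x)."""
    if population <= 0:
        return 0
    z = Z_FOR_CONFIDENCE[confidence]
    x = z ** 2 * expected_error_rate * (100 - expected_error_rate)
    n = population * x / ((population - 1) * tolerable_error ** 2 + x)
    return min(population, math.ceil(n))  # round up, never more than N


def recommended_sample_size(frequency, population, largest=True):
    """Size from the slide-12 range (largest=True takes the top of the range,
    as the presenter does), capped at the number of records that exist."""
    low, high = SOX_SAMPLE_RANGE[frequency]
    return min(high if largest else low, population)


@dataclass
class AuditPool:
    method: str            # "random", "judgmental" or "all"
    population_size: int
    sample_size: int
    seed: Optional[int] = None  # recorded so a random pool can be reproduced
    selected_keys: List[str] = field(default_factory=list)


def build_audit_pool(records, key, method="random", sample_size=None,
                     seed=None, criteria=None):
    """Audit pool chosen randomly, judgmentally (criteria function) or as all
    records; `key` is the field that uniquely identifies a record."""
    keys = [r[key] for r in records]
    if len(set(keys)) != len(keys):
        raise ValueError("record keys must be unique for a reproducible pool")
    if method == "all":
        chosen = list(keys)
    elif method == "random":
        if sample_size is None:
            raise ValueError("random selection needs a sample_size")
        rng = random.Random(seed)  # same seed + same population => same pool
        chosen = sorted(rng.sample(keys, min(sample_size, len(keys))))
    elif method == "judgmental":
        if criteria is None:
            raise ValueError("judgmental selection needs a criteria function")
        chosen = [r[key] for r in records if criteria(r)]
    else:
        raise ValueError(f"unknown selection method {method!r}")
    return AuditPool(method, len(keys), len(chosen),
                     seed if method == "random" else None, chosen)


def change_approval_check(record):
    """Assumed test criteria for an 'AI: Manage Change' control: a change needs
    a named approver and approval must not come after implementation.
    Returns the failure reason, or None when the record passes."""
    if not record["approved_by"]:
        return "no approver recorded"
    if record["approved"] > record["implemented"]:  # ISO dates compare as text
        return f"approved {record['approved']} after implementation {record['implemented']}"
    return None


def run_control_test(records, key, pool, check):
    """Run `check` over the pooled records and keep the specifics of every
    failure next to the pool description (slide 13: record everything)."""
    by_key = {r[key]: r for r in records}
    failures = []
    for k in pool.selected_keys:
        reason = check(by_key[k])
        if reason is not None:
            failures.append((k, reason))
    return {"pool": pool, "tested": len(pool.selected_keys),
            "passed": len(pool.selected_keys) - len(failures),
            "failures": failures}


# Constructed change tickets for this example; not real data.
CHANGE_RECORDS = [
    {"ticket": "CHG-1001", "approved_by": "j.doe", "approved": "2009-04-01", "implemented": "2009-04-03"},
    {"ticket": "CHG-1002", "approved_by": "j.doe", "approved": "2009-04-02", "implemented": "2009-04-04"},
    {"ticket": "CHG-1003", "approved_by": "", "approved": "", "implemented": "2009-04-05"},
    {"ticket": "CHG-1004", "approved_by": "a.smith", "approved": "2009-04-06", "implemented": "2009-04-06"},
    {"ticket": "CHG-1005", "approved_by": "a.smith", "approved": "2009-04-10", "implemented": "2009-04-08"},
]
```

Running `run_control_test(CHANGE_RECORDS, "ticket", build_audit_pool(CHANGE_RECORDS, "ticket", method="all"), change_approval_check)` tests every record, the way the presenter does when an automated test is available, and returns the pool description alongside two failures with their reasons. For 1,200 daily records at 95% confidence and a 5% tolerable error the statistical function asks for 292 records, far more than the 25 to 60 an external auditor would typically pull, which is the point made on slide 12 about internal testing using the largest sample possible.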

14
Summary
  • Things to remember
  • Testing of internal controls for SOX is highly
    visible, so you want to be able to express the
    current state of testing very simply to
    management. I've created a Red, Yellow, Green
    method of grading our controls.
  • SOX section 404 may not reduce the chances of a
    financial misstatement, but:
  • Any shortcomings found with the internal controls
    are really exposing problems with a process in
    your company, and rectifying that problem will
    improve the operations of your company.
  • Many complaints circulate about the cost of SOX
    and the added responsibility of SOX. SOX section
    404 is just ensuring what a company should
    already be doing in its own best interest.
  • Internal control testing should be performed
    throughout the year and not just at year end
    (when the external auditor comes).
  • If the company has to report a material weakness,
    it could very well mean that the stock price will
    take a hit.
  • If the material weakness could have been exposed
    by internal testing but wasn't exposed until
    external testing, and you were the tester, I'd
    start looking for a new job.

15
References
  • COBIT framework (2nd ed.). (1998). Rolling Meadows,
    IL: Information Systems Audit and Control
    Foundation.
  • Davern, A., Lee, M., & Palafoutas, J. (2005).
    Sarbanes-Oxley section 404: The section of
    unintended consequences and its impact on small
    business. Retrieved from
    http://www.aeanet.org/governmentaffairs/AeASOXPaperFinal021005.asp
  • Definition of the Term Significant Deficiency, 17
    Securities and Exchange Commission 210 and 240
    (2007).
  • Financial Executives International. (2006).
    Sarbanes-Oxley section 404 implementation survey
    [PowerPoint slides]. Retrieved from
    http://www2.financialexecutives.org/news/404_survey_4_6_06.cfm?
  • Financial Executives International. (2005).
    Sarbanes-Oxley section 404 implementation survey
    [PowerPoint slides]. Retrieved from
    http://www.financialexecutives.org/EWEB/DynamicPage.aspx?webcode=adv_SOX404_survey_3_21_05
  • Gilbert Welytok, J. (2008). Sarbanes-Oxley for
    dummies (2nd ed.). Indianapolis, IN: Wiley
    Publishing, Inc.
  • Giordano, R. E. (2007). Enabling efficient small
    and midcap Sarbanes-Oxley 404 compliance --
    Check the (Sar)Box. International Journal of
    Disclosure and Governance, 4(1), 42-51. Retrieved
    from http://proquest.umi.com

16
References
  • Gupta, P. P., & Leech, T. (2006). Making
    Sarbanes-Oxley 404 work: Reducing cost,
    increasing effectiveness. International Journal
    of Disclosure and Governance, 3(1), 27-48.
    Retrieved from http://proquest.umi.com
  • IT Governance Institute. (2006). IT control
    objectives for Sarbanes-Oxley. Retrieved from
    https://www.isaca.org/Template.cfm?Section=Security&CONTENTID=45261&TEMPLATE=/MembersOnly.cfm
  • IT Governance Institute. (2007). Cobit 4.1.
    Retrieved from
    http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders1/COBIT6/Obtain_COBIT/Obtain_COBIT.htm
  • Institute of Internal Auditors. (2008).
    Sarbanes-Oxley section 404: A guide for management
    by internal controls practitioners. Available
    from http://www.theiia.org/download.cfm?file=31866
  • Keating, E. (2006). Sarbanes-Oxley Act: how did
    we get here? Retrieved from CasePlace.org:
    http://www.caseplace.org/d.asp?d=2644
  • Linkous, J. (2008). Put the i in IT compliance.
    Communications News, 45(12), 26, 28. Retrieved
    from http://proquest.umi.com
  • Ramos, M. J. (2008). How to comply with
    Sarbanes-Oxley section 404: Assessing the
    effectiveness of internal control (3rd ed.).
    Hoboken, NJ: John Wiley & Sons, Inc.
  • Sarbanes-Oxley Act, 7201 U.S.C. 107-2004
    (Public Company Accounting Oversight Board 2002).
    It can be found here:
    http://www.sec.gov/about/laws/soa2002.pdf
  • Special Report: A price worth paying? - Auditing
    Sarbanes-Oxley. (2005). The Economist, 375(8427).
    Retrieved from http://proquest.umi.com

17
Questions & Answers